
Thread: Vulnerability Scan - BEAST Attack

  1. #1 myarmush (Member)

    A vulnerability scan was run against our Zimbra server and it showed that we were vulnerable to BEAST attack.

    On other servers (Apache/OpenSSL) I am able to mitigate this by setting the cipher order. On Zimbra, I can set the cipher suite but I haven't found any documentation on how to set the order.

    Can this be done? If not, how can BEAST be mitigated for Zimbra?

    Regards,
    Moe
    Release 7.2.2_GA_2852.RHEL6_64_20121204211952 RHEL6_64 NETWORK edition.

  2. #2 LMStone (Moderator)

    There is at least one other thread here in the forums which describes restricting the ciphers Zimbra accepts; to my recollection the thread is more than a year old and covers a previous version of Zimbra.

    Hope that helps,
    Mark

  3. #3 phoenix (Zimbra Consultant & Moderator)

    Quote originally posted by LMStone:
        There is at least one other thread here in the forums which describes restricting the ciphers Zimbra accepts; to my recollection the thread is more than a year old and covers a previous version of Zimbra.
    There's even a wiki article on the subject.
    Regards
    Bill

  4. #4 myarmush (Member)

    Thanks for the input guys.

    I have already restricted the cipher suites that Zimbra accepts by using zmprov mcf +zimbraSSLExcludeCipherSuites xxxxx and I set the SSL/TLS settings in Postfix by following the Wiki article at Postfix PCI Compliance in ZCS - Zimbra :: Wiki.

    In other technologies, e.g. Apache Http, I can set the order of the cipher suites without totally excluding them.
    This effectively mitigates BEAST, i.e. an SSL scan from ssllabs.com shows that my web server is not vulnerable to BEAST.

    My question is: can I set the "order" of the cipher suites without restricting them entirely?

    Regards,
    Moe

  5. #5 lindsey (Senior Member)

    Did anything ever come of this?

    I'm hardening a Zimbra server as well and am running into the same issue. Block cipher suites are vulnerable, but RC4 suites are not. Putting RC4 first prevents the vulnerable cipher suites from being used.

    Does Zimbra allow administrators to order the ciphers?
    Last edited by lindsey; 08-06-2013 at 09:11 PM.
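    The post above draws the line between block-cipher (CBC) suites and RC4 suites. As an added example that is not code from this thread, from Zimbra or from any scanner, the script below classifies a scanner's (protocol, suite) list by BEAST exposure and separates the two questions a cipher-ordering mitigation raises: whether an affected suite is merely preferred at TLS 1.0, or whether it is still offered at all. The scan results in SCAN are constructed for illustration and use IANA TLS_* suite names; the rc4_first helper models the reordering described in the post.

```python
"""Classify a TLS scanner's cipher-suite list by BEAST exposure.

Added example; it is not code from the forum thread, from Zimbra or from
any scanner. The scan results below are constructed for illustration and
use the IANA TLS_* suite names that most scanners print.
"""
from dataclasses import dataclass

# BEAST relies on the chained (predictable) CBC IVs of SSL 3.0 and TLS 1.0.
# TLS 1.1 and later carry an explicit random IV per record, so CBC suites
# negotiated under those versions are not affected.
BEAST_PROTOCOLS = {"SSLv3", "TLSv1.0"}


@dataclass(frozen=True)
class Finding:
    protocol: str
    suite: str
    category: str  # beast-cbc | cbc-ok | rc4 | aead | other
    note: str


def classify(protocol: str, suite: str) -> Finding:
    """Assign one (protocol, suite) pair from a scan to a BEAST exposure category."""
    name = suite.upper()
    if "_RC4_" in name:
        return Finding(protocol, suite, "rc4",
                       "stream cipher, not affected by BEAST; RC4 keystream biases "
                       "are a separate weakness (RFC 7465 prohibits RC4 in TLS)")
    if "_GCM_" in name or "_CCM" in name or "CHACHA20" in name:
        return Finding(protocol, suite, "aead", "AEAD suite, not affected by BEAST")
    if "_CBC_" in name:
        if protocol in BEAST_PROTOCOLS:
            return Finding(protocol, suite, "beast-cbc",
                           f"CBC under {protocol} with chained IVs: affected by BEAST")
        return Finding(protocol, suite, "cbc-ok",
                       f"CBC under {protocol} uses explicit IVs: not affected by BEAST")
    return Finding(protocol, suite, "other",
                   "no CBC/RC4/AEAD marker in the name; review manually")


def assess(scan):
    """Summarise a scan given as (protocol, suite) pairs in the server's preference order.

    Two separate questions: is a BEAST-affected suite *preferred* under a
    legacy protocol (ordering), and is one *offered at all* (exclusion)?
    A client that lacks the preferred suite can still negotiate an affected
    one unless it has been excluded.
    """
    findings = [classify(p, s) for p, s in scan]
    legacy = [f for f in findings if f.protocol in BEAST_PROTOCOLS]
    return {
        "beast_affected": [f.suite for f in findings if f.category == "beast-cbc"],
        "preferred_legacy_affected": bool(legacy) and legacy[0].category == "beast-cbc",
        "rc4_offered": any(f.category == "rc4" for f in findings),
    }


def rc4_first(scan):
    """Model the mitigation discussed in the thread: move RC4 suites to the
    front of the preference list without removing anything."""
    rc4 = [(p, s) for p, s in scan if classify(p, s).category == "rc4"]
    rest = [(p, s) for p, s in scan if classify(p, s).category != "rc4"]
    return rc4 + rest


# Constructed scan output in the server's preference order (not real data).
SCAN = [
    ("TLSv1.0", "TLS_RSA_WITH_AES_128_CBC_SHA"),
    ("TLSv1.0", "TLS_RSA_WITH_3DES_EDE_CBC_SHA"),
    ("TLSv1.0", "TLS_RSA_WITH_RC4_128_SHA"),
    ("TLSv1.2", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"),
    ("TLSv1.2", "TLS_RSA_WITH_AES_256_CBC_SHA256"),
]

if __name__ == "__main__":
    for f in (classify(p, s) for p, s in SCAN):
        print(f"{f.protocol:8} {f.suite:40} {f.category:10} {f.note}")
    print("as scanned:", assess(SCAN))
    print("RC4 first: ", assess(rc4_first(SCAN)))
```

    Running it on the constructed scan shows the point: after rc4_first the preferred legacy suite is no longer affected, but beast_affected is unchanged, because reordering only helps clients that also support the preferred suite; removing the CBC suites (as the original poster eventually did) is what empties that list.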

  6. #6 myarmush (Member)

    It's been a couple of months but I think in the end there is no way to order the cipher suites in Java.

    I had to block all block suites and only allow the RC4 suites.

    Side note: I used https://www.ssllabs.com/ssltest/index.html to test the SSL and ran it again today and saw there is a vulnerability in RC4 suites too. Currently, I don't think there is a practical attack but it is something to keep in mind.

    My current cipher settings in postfix are:

    tls_export_cipherlist = aNULL:-aNULL:ALL:+RC4:@STRENGTH
    tls_high_cipherlist = aNULL:-aNULL:ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH
    tls_low_cipherlist = aNULL:-aNULL:ALL:!EXPORT:+RC4:@STRENGTH
    tls_medium_cipherlist = aNULL:-aNULL:ALL:!EXPORT:!LOW:+RC4:@STRENGTH
    tls_null_cipherlist = eNULL:!aNULL

    Hope that helps.

    Regards,
    Moe
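    The Postfix settings above are OpenSSL cipher strings, and the cheapest way to see what order such a string actually produces is to ask the local OpenSSL. As an added example (not code from this thread, from Zimbra or from Postfix), the script below feeds a string through Python's ssl module, which hands it to the same OpenSSL parser Postfix uses, and returns the resulting preference order. One caveat worth checking before relying on a list like the ones above: in OpenSSL's syntax `+NAME` moves the matching suites to the end of the list, not the front, while `!NAME` removes them and `@STRENGTH` sorts what is left by key length. Current OpenSSL builds no longer ship RC4, so the AES128/AES256 aliases stand in for RC4 in the constructed strings.

```python
"""Resolve an OpenSSL cipher string to the order OpenSSL will negotiate in.

Added example; not code from the thread, Zimbra or Postfix. Python's ssl
module passes the string to the same OpenSSL parser that Postfix uses for
its tls_*_cipherlist settings, so the returned order is what the local
OpenSSL build would use. Current OpenSSL builds no longer include RC4, so
the AES128/AES256 aliases stand in for RC4 when demonstrating the operators.
"""
import ssl


def resolve(cipher_string: str) -> list:
    """Return suite names (TLS 1.2 and earlier) in OpenSSL's preference order."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    # TLS 1.3 suites are configured separately and are not affected by the
    # cipher string, so leave them out of the comparison.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def preferred(cipher_string: str) -> str:
    """The suite a server that honours its own preference order would pick first."""
    return resolve(cipher_string)[0]


# Constructed strings exercising the operators that Postfix-style lists use:
#   '+X'        moves suites matching X to the END of the list (adds nothing),
#   '!X'        removes them permanently,
#   '@STRENGTH' sorts the current list by key length, strongest first.
BASE = "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256"
EXAMPLES = {
    "as written": BASE,
    "+AES256": BASE + ":+AES256",
    "!AES256": BASE + ":!AES256",
    "@STRENGTH": "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:@STRENGTH",
}

if __name__ == "__main__":
    for label, spec in EXAMPLES.items():
        print(f"{label:12} {spec}")
        print(f"{'':12} -> {resolve(spec)}")
```

    The "+AES256" case is the one to look at: the 256-bit suite is listed first in the string but ends up last in the resolved order, which is the behaviour a `+RC4` term would have had on an OpenSSL build that still included RC4.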
